Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

beauty-prompt

v1.3.1

Home renovation and furniture inspiration consultant: converts the user's home renovation, furnishing and spatial design requirements into high-quality visual images. Trigger scenarios: (1) the user says "help me generate a [XXX] image"; (2) the user expresses a need for visual content about renovation, home furnishing, spatial design, commercial display and the like; (3) the user needs renderings of spaces such as a living room, bedroom or kitchen. Includes requirement-breakdown questions, Chinese-to-English prompt conversion, and calling nano-banana2-apiyi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (convert design requirements into prompts and generate images) align with its instructions: ask clarifying questions, build prompts, call an image generator, and deliver the results. However, it assumes the presence of a separate 'nano-banana2-apiyi' skill/script and of an agent '小方设计' (reached via sessions_send) without declaring either as a dependency, so the capability description is incomplete.
Instruction Scope
SKILL.md instructs execution of a Python script at a relative path that leaves the skill's own directory ("{baseDir}/../nano-banana2-apiyi/scripts/generate_image.py"), writes outputs to a shared public workspace output directory, and uses a sessions_send interface to forward commands to another agent. These actions cross skill boundaries and touch filesystem and messaging APIs outside the skill's own scope. The command examples also mix Windows-style backslash paths with UNIX shell constructs ($(date ...) substitution). A backslash is an escape character in a POSIX shell and $(...) substitution does not exist in cmd.exe, so the same command cannot run as written on both platforms and may behave unexpectedly on either.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk, which is low risk from an install perspective.
Credentials
The skill states that it will send generated images via Feishu and call sessions_send, but declares no required environment variables, tokens, or credentials for Feishu or for invoking other agents. It also assumes it can run Python and read another skill's script on disk. Using messaging and filesystem access without declaring the required credentials or permissions is disproportionate and opaque.
Persistence & Privilege
always is false, and the skill does not request persistent system-wide privileges. It does assume the agent runtime can execute commands and write to {workspace}\output; that is a normal runtime privilege, but it should be confirmed.
What to consider before installing
This skill largely does what it claims (prompt construction, web searches for design terms, and image generation), but it rests on several unclear or risky runtime assumptions. Before installing or enabling it:
1) Verify that the nano-banana2-apiyi skill or script exists at the referenced relative path, and inspect that script's behavior and required credentials.
2) Confirm how images are sent via Feishu (which token or credential sessions_send uses) and whether those credentials are already present or must be provided; do not supply secrets until you understand where they go.
3) Images are written to the public workspace output directory; confirm retention, access controls, and whether other agents or users can read those files.
4) Ask the author to declare explicit dependencies (other skills, required environment variables, required runtimes) and to fix the platform/path inconsistencies (Windows vs. Unix).
5) If you cannot verify the external script and the messaging behavior, run the skill in a sandbox or decline to install it.
These inconsistencies are suspicious but do not by themselves prove malicious intent.
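A pre-install check that mechanizes items 1 and 4 above (a referenced path that escapes the skill directory, mixed Windows/POSIX path style, and messaging integrations used without any declaration), added here as an illustration; it is not ClawHub's or OpenClaw's scanner. It assumes a YAML-style frontmatter containing the always field the report mentions, plus assumed dependencies/env keys for declaring requirements, and runs over a constructed SKILL.md modelled on the report's findings rather than the skill's actual text.

```python
import re

# Constructed sample SKILL.md modelled on the scan findings above. The
# frontmatter keys (always, dependencies, env) and the {baseDir}/{workspace}
# placeholder syntax are assumptions about the format, not the skill's text.
SAMPLE_SKILL_MD = r"""---
name: beauty-prompt
version: 1.3.1
always: false
---
1. Ask the user clarifying questions, then build the prompt.
2. Run: python {baseDir}/../nano-banana2-apiyi/scripts/generate_image.py --prompt "$PROMPT"
3. Save the result to {workspace}\output\$(date +%Y%m%d)-render.png
4. Forward the image to agent 小方设计 with sessions_send.
5. Send the final image to the user via Feishu.
"""

# The same skill after the fixes the report asks for: the script is bundled
# inside the skill, paths use one separator style, and the cross-agent and
# messaging needs are declared (assumed key names, assumed token name).
HARDENED_SKILL_MD = SAMPLE_SKILL_MD.replace(
    "always: false\n",
    "always: false\ndependencies: nano-banana2-apiyi\nenv: FEISHU_BOT_TOKEN\n",
).replace(
    "{baseDir}/../nano-banana2-apiyi/scripts/generate_image.py",
    "{baseDir}/scripts/generate_image.py",
).replace(
    r"{workspace}\output\$(date +%Y%m%d)-render.png",
    "{workspace}/output/$(date +%Y%m%d)-render.png",
)

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.S)
# A runtime placeholder followed by the path attached to it.
PLACEHOLDER_PATH_RE = re.compile(r"\{(baseDir|workspace)\}([^\s\"']+)")
# Integrations that need credentials or cross-agent permissions.
INTEGRATIONS = ("sessions_send", "feishu")
# Frontmatter keys under which such needs would be declared (assumed names).
DECLARATION_KEYS = ("dependencies", "env", "requires")


def parse_frontmatter(text):
    """Split a SKILL.md into a dict of frontmatter fields and the body."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        return {}, text
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields, text[m.end():]


def audit_skill(text):
    """Return (code, body_line_no, detail) findings; 0 = whole-document."""
    fields, body = parse_frontmatter(text)
    findings = []
    for ln, line in enumerate(body.splitlines(), 1):
        for base, rest in PLACEHOLDER_PATH_RE.findall(line):
            # A '..' segment means the path leaves the placeholder's root,
            # i.e. the skill reaches into another skill's files.
            if ".." in re.split(r"[\\/]", rest):
                findings.append(("cross_skill_path", ln, f"{{{base}}}{rest}"))
        # Backslash separators next to POSIX constructs cannot work as
        # written on both platforms.
        if "\\" in line and ("$(" in line or "/" in line):
            findings.append(("mixed_path_style", ln, line.strip()))
    declared = any(key in fields for key in DECLARATION_KEYS)
    lowered = body.lower()
    for name in INTEGRATIONS:
        if name in lowered and not declared:
            findings.append(("undeclared_integration", 0, name))
    if fields.get("always", "false").lower() == "true":
        findings.append(("always_on", 0, "always: true"))
    return findings


if __name__ == "__main__":
    for code, ln, detail in audit_skill(SAMPLE_SKILL_MD):
        print(f"{code:24} line {ln}: {detail}")
    print("hardened variant findings:", audit_skill(HARDENED_SKILL_MD))
```

The check only reads the text; it does not confirm that the referenced script actually exists or what it does (item 1's second half), which still needs a manual inspection of the nano-banana2-apiyi script before any credentials are supplied.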
